[Update] Probable Zero-day Vulnerabilities Exploited in some SonicWall Secure Remote Access Products

Published on 24 Jan 2021

Updated on 21 Feb 2021

This is the third update to the alert.

SonicWall has just released new firmware versions for both the 10.x and 9.x codebases on SMA 100 series products, comprising the SMA 200, 210, 400 and 410 physical appliances and the SMA 500v virtual appliance.

The new SMA 10.2 firmware includes code-hardening fixes identified during an internal code audit, roll-up of customer issue fixes not included in the 3 Feb 2021 patch, general performance enhancements, and previous SMA 100 series zero-day fixes posted on 3 Feb 2021. The new 9.0 firmware includes code-hardening fixes identified during an internal code audit. 

All organisations using SMA 100 series products with 10.x or 9.x firmware are advised to apply the respective 10.2.0.6-32sv and 9.0.0.10-28sv patches immediately. Organisations that applied the previous patch (SMA 10.2.0.5-29sv) released on 3 Feb 2021 must still upgrade to the latest firmware; organisations that skipped the previous patch need only apply the latest upgrade. Instructions can be found in the following links: https://www.sonicwall.com/support/knowledge-base/how-to-upgrade-firmware-on-sma-100-series-appliances/170502339501169/ and https://www.sonicwall.com/support/knowledge-base/smb-ssl-vpn-upgrading-firmware-on-sma-500v-virtual-appliance/170502851052498/.
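An added example (not SonicWall's tooling) of how an administrator might check a fleet inventory against the two minimum firmware levels named above. It assumes SonicWall's "major.minor.patch.build-NNsv" version string format as shown in the advisory; the inventory entries and the 9.0.0.9-27sv value are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum firmware per SMA 100 branch, taken from the advisory text:
# 10.2.0.6-32sv for the 10.x codebase, 9.0.0.10-28sv for 9.x.
REQUIRED = {10: "10.2.0.6-32sv", 9: "9.0.0.10-28sv"}

# Assumed format: e.g. "10.2.0.5-29sv" -> (10, 2, 0, 5, 29)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a tuple that compares numerically
    (so 10.2.0.6-32sv > 10.2.0.5-29sv and 9.0.0.10-28sv > 9.0.0.9-27sv)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    major, minor, patch, build, sv = (int(g) for g in m.groups())
    return (major, minor, patch, build, sv)


def assess(version: str) -> str:
    """Classify one appliance: 'patched', 'upgrade-required', or
    'not-in-advisory' for branches the advisory does not name."""
    v = parse_version(version)
    required = REQUIRED.get(v[0])
    if required is None:
        return "not-in-advisory"
    return "patched" if v >= parse_version(required) else "upgrade-required"


# Constructed sample inventory (hostname, firmware); not real appliances.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sma410-hq", "10.2.0.5-29sv"),     # applied only the 3 Feb patch
    ("sma500v-aws", "10.2.0.6-32sv"),   # current 10.x firmware
    ("sma200-branch", "9.0.0.9-27sv"),  # constructed older 9.x build
    ("sma210-lab", "9.0.0.10-28sv"),    # current 9.x firmware
]


def report(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each hostname to its patch status."""
    return {host: assess(fw) for host, fw in inventory}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```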

More information can be found here:

https://www.sonicwall.com/support/product-notification/additional-sma-100-series-10-x-and-9-x-firmware-updates-required-updated-feb-19-2-p-m-cst/210122173415410/

Second update published on 4 Feb 2021 below:

SonicWall has confirmed a zero-day vulnerability (CVE-2021-20016) in their SMA Series 10.x codebase. The vulnerability is due to the improper neutralisation of SQL commands. Successful exploitation allows a remote unauthenticated attacker to perform SQL queries to access usernames, passwords and other session-related information. There are reports of active exploitation of this vulnerability.

The vulnerability affects SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v (Azure, AWS, ESXi and HyperV). SMA 100 firmware prior to 10.x is unaffected by this vulnerability.

The security patch to address this vulnerability is now available. Administrators of affected products are advised to apply this patch (SMA 10.2.0.5-29sv) immediately. Instructions can be found in the following links: https://www.sonicwall.com/support/knowledge-base/how-to-upgrade-firmware-on-sma-100-series-appliances/170502339501169/#:~:text=Now%20from%20the%20Web%20UI,new%20version%20in%20New%20Firmware. and https://www.sonicwall.com/support/knowledge-base/smb-ssl-vpn-upgrading-firmware-on-sma-500v-virtual-appliance/170502851052498/.

After applying the security update, system administrators are advised to reset the passwords for all users and enable multifactor authentication (MFA) as an enhanced security measure.

More information can be found here:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-confirms-sma-100-series-10-x-zero-day-vulnerability-feb-3-6-a-m-cst/210122173415410/

https://www.bleepingcomputer.com/news/security/sonicwall-sma-100-zero-day-exploit-actively-used-in-the-wild/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016

First update published on 25 Jan 2021 below:

SonicWall has updated its advisory to state that, with the exception of its SMA 100 Series products, no other products are affected by the coordinated attack.

SonicWall is currently investigating their SMA 100 Series products. In the meantime, administrators of the SMA 100 Series products are recommended to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet. 

SonicWall has clarified that current SMA 100 Series customers may continue to use NetExtender for remote access as this use case has been determined to not be susceptible to exploitation.

Users and administrators are also advised to enable multi-factor authentication (MFA) on the SonicWall SMA, Firewall and MySonicWall accounts. Users of the affected products should refer to the company website regularly for updates and recommended actions.

More information is available here:

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability/210122173415410/

Original alert published on 24 Jan 2021 below:

SonicWall has identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall remote access products. 

The affected products are:

  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance
  • NetExtender Virtual Private Network (VPN) client version 10.x (released in 2020) utilised to connect to SMA 100 series appliances and SonicWall firewalls

According to SonicWall, newer SMA 1000 series appliances are not affected. 

There are currently no patches available for the affected products. Users and administrators of affected products should apply the mitigating measures recommended by SonicWall, and heighten monitoring of remote access into their networks via affected products.

Users and administrators with active SMA 100 series appliances are advised to use a firewall to allow only SSL-VPN connections to the SMA appliance from known/whitelisted IPs and configure whitelist access on the SMA directly. Instructions can be found here: https://www.sonicwall.com/support/knowledge-base/how-to-restrict-access-for-netextender-mobile-connect-users-based-on-policy-for-ip-address/170502499350337/

Users and Administrators using NetExtender version 10.x are advised to disable NetExtender access to their firewall(s) or restrict access to users and admins via allow-list/whitelist for their public IPs. Instructions can be found here: https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-the-ssl-vpn-feature-for-use-with-netextender-or-mobile-connect/170505401898786/

Users and administrators are also advised to enable multi-factor authentication (MFA) on all SonicWall SMA, Firewall and MySonicWall accounts. Instructions on enabling MFA can be found via the following links:

Users of affected SonicWall products should refer to the company website regularly for updates and recommended actions.

More information is available here:

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability/210122173415410/